A number of vulnerabilities were discovered and corrected in the Linux
2.6 kernel:

Prior to Linux kernel 2.6.16.5, the kernel does not properly handle
uncanonical return addresses on Intel EM64T CPUs which causes the
kernel exception handler to run on the user stack with the wrong GS
(CVE-2006-0744).

The selinux_ptrace logic hooks in SELinux for 2.6.6 allow local users
with ptrace permissions to change the tracer SID to an SID of another
process (CVE-2006-1052).

Prior to 2.6.16, the ip_push_pending_frames function increments the IP
ID field when sending a RST after receiving unsolicited TCP SYN-ACK
packets, which allows a remote attacker to conduct an idle scan attack,
bypassing any intended protection against such an attack
(CVE-2006-1242).

In kernel 2.6.16.1 and some earlier versions, the sys_add_key function
in the keyring code allows local users to cause a DoS (OOPS) via keyctl
requests that add a key to a user key instead of a keyring key, causing
an invalid dereference (CVE-2006-1522).

Prior to 2.6.16.8, the ip_route_input function allows local users to
cause a DoS (panic) via a request for a route for a multicast IP
address, which triggers a null dereference (CVE-2006-1525).